The American Council for Technology-Industry Advisory Council (ACT-IAC), a non-commercial organisation working toward a more innovative government, has published a paper on Zero Trust.

I would recommend this paper to anybody in or outside the federal space who is even remotely thinking about Zero Trust, be it because you are starting to think about introducing it or because it is just one of those trends you want to catch up on.

There is a huge amount of truth and knowledge in this document, and it does not contain any marketing. I read it and thought: this is sound advice for anyone who looks to improve their security posture with the ultimate, long-term Zero Trust goal in mind.

Zero Trust is an evolutionary framework, not a revolutionary approach. It builds on existing security concepts and does not introduce a radical new approach to cybersecurity. Like most security concepts, Zero Trust relies on a fundamental understanding of an organization’s services, data, users, and endpoints to be effective. There is no “free lunch” regarding up-front resource investment. Policy definitions, concepts of deployment, trust determination (and decay), enforcement mechanisms, logging aggregation, etc., all need to be considered prior to deploying a solution. That said, many large-scale organizations (such as Google, Akamai, and Purdue) that have made the investment show real return on security investment. The critical question becomes whether ZT is mature enough to be a compelling choice for government today.

It also features a great list on how to start with micro-segmentation, which I think really makes a lot of sense if you want to start this journey:

  1. Perform an audit. Map all forms of network connectivity.
  2. Identify risks.
  3. Define a "default-deny" segmentation approach.
  4. Define policy by segment.
  5. Assess the technology gap.
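To make the five steps concrete, here is an added example (my own illustration, not code from the ACT-IAC paper) that takes connectivity observed in an audit, maps hosts to hypothetical segments, applies a default-deny policy defined per segment, and reports the flows that would break, which is the technology gap to assess before enforcing anything. Segment names, IP ranges and flows are all constructed sample data.

```python
from ipaddress import ip_address, ip_network

# Step 1 (audit): connectivity observed on the network.
# Constructed sample data: (source ip, destination ip, destination port).
OBSERVED_FLOWS = [
    ("10.10.1.25", "10.20.0.5", 443),   # workstation -> web tier over HTTPS
    ("10.20.0.5", "10.30.0.9", 5432),   # web tier -> database
    ("10.10.1.25", "10.30.0.9", 5432),  # workstation -> database directly
    ("10.10.1.40", "10.20.0.5", 22),    # workstation -> web tier over SSH
]

# Step 3: segments. Hypothetical names and ranges.
SEGMENTS = {
    "workstations": ip_network("10.10.0.0/16"),
    "web": ip_network("10.20.0.0/24"),
    "db": ip_network("10.30.0.0/24"),
}

# Step 4: policy by segment as (src_segment, dst_segment, dst_port).
# Default-deny: any flow not listed here is denied.
ALLOW = {
    ("workstations", "web", 443),
    ("web", "db", 5432),
}

def segment_of(ip):
    """Map a host address to its segment; None means the audit missed it."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None

def evaluate(flows, allow=ALLOW):
    """Return [(flow, 'allow' | 'deny')] under the default-deny policy."""
    results = []
    for src, dst, port in flows:
        key = (segment_of(src), segment_of(dst), port)
        results.append(((src, dst, port), "allow" if key in allow else "deny"))
    return results

def technology_gap(flows, allow=ALLOW):
    """Step 5: observed flows the policy would break; each needs either a
    justified allow entry (step 4) or remediation as a risk (step 2)."""
    return [flow for flow, verdict in evaluate(flows, allow) if verdict == "deny"]

if __name__ == "__main__":
    for flow, verdict in evaluate(OBSERVED_FLOWS):
        print(f"{verdict:5} {flow[0]} -> {flow[1]}:{flow[2]}")
```

Running it over the sample audit flags the direct workstation-to-database and SSH flows as the two items to resolve before the default-deny policy is enforced.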

The PDF is linked in the section below.